INSPECTION

U.S. DEPARTMENT OF THE INTERIOR
WEB HOSTING SERVICES

Report No.: ISD-IS-OCIO-0001-2014      June 2014

OFFICE OF INSPECTOR GENERAL
U.S. DEPARTMENT OF THE INTERIOR

JUN 04 2014

Memorandum

To:

From:

Subject:   Inspection Report - U.S. Department of the Interior Web Hosting Services
           Report No. ISD-IS-OCIO-0001-2014

In early January 2014, the U.S. Department of the Interior (DOI) and Office of Inspector General (OIG) websites experienced an extended outage of 7 days. These websites, which are hosted by the National Park Service (NPS), provide critical information to the general public, and their availability contributes to the missions of both DOI and OIG. We initiated an inspection to determine the cause of the outage and to identify whether the length of the recovery was appropriate.

During our inspection, we uncovered multiple reasons and deficiencies that contributed to the website outage at NPS, DOI, and OIG. These included NPS information systems that:

• had not been properly authorized to operate;
• had outdated system inventories and were missing security documentation; and
• had insufficient contingency planning to prepare for a major power failure.

In addition, we found that no written agreements existed between NPS, DOI, and OIG describing the roles and responsibilities of each entity.

Background

NPS has over 400 locations throughout the United States whose interconnected networks and computer systems are known as the NPS One General Support System (One GSS). NPS has a web hosting and content management system in its Lakewood, CO, data center referred to as the Denver Data Center Child System (DDC) that manages the content for NPS' and DOI's websites.[1] According to the DDC's system documentation, the DDC is a subsystem (child) of One GSS. NPS contracts with a Cloud-based content delivery network (CDN)[2] provider that delivers NPS and DOI web content to the public. Under a 2009 verbal agreement, NPS agreed to host the DOI website in the DDC and continuously maintain the content hosted by the CDN. After an extended outage of the OIG website in 2012, DOI's Office of Communications suggested that OIG allow DOI to host and manage the OIG website. OIG verbally accepted DOI's offer in 2012 to share web hosting and content management services, thus migrating OIG's website to the DDC; NPS, however, was not informed of this decision.

[1] The DDC hosts several other DOI websites, including, but not limited to, OIG, the Office of the Secretary, and the Office of the Solicitor. Most DOI bureaus, however, do not use NPS or DOI for web hosting services and were not affected by this outage.
[2] A CDN is an interconnected system of computers on the Internet that provides website content rapidly to numerous users by duplicating the content on multiple geographically distributed servers and directing the content to users based on proximity.

Office of Audits, Inspections, and Evaluations | Washington, DC

On January 1, 2014, the DDC experienced a power outage that affected over 100 servers and, in some cases, caused physical damage. As a result of the outage, the DOI and OIG websites were unavailable between January 1 and January 7, 2014.

In response to the outage, on January 3, 2014, DOI uploaded a temporary web page to the CDN that contained links to the bureau websites unaffected by the outage. Although NPS hosts the OIG website, it does not host the OIG hotline web page; therefore, the hotline page was unaffected by the outage. DOI did not include a link to the hotline page on the temporary web page.

Findings

Our inspection revealed several concerns with DOI's web hosting services, including insufficient assessment and authorization processes and incomplete documentation, noncompliance with contingency planning and testing requirements, and no written documentation identifying the roles and responsibilities for shared services.

Insufficient Assessment and Authorization Processes and Incomplete Documentation

During our inspection, we could not determine whether the information systems hosting the NPS, DOI, and OIG websites were included in the One GSS assessment and authorization (A&A) boundary, as required by the Federal Information Security Management Act of 2002, because NPS did not have accurate system inventory documentation. In addition to incomplete system inventories for identified information system boundaries, we discovered insufficient contingency planning processes, an unauthorized information system, missing baseline configuration documentation, and a variety of other missing documentation.

An A&A boundary establishes the scope of protection for organizational information systems and includes the people, processes, and information technologies that are part of the system. Incomplete documentation of the One GSS boundary represents NPS' inadequate assessment of the system and the data the system hosts. As a result of NPS' insufficient adherence to the A&A processes defined by Federal regulations and its noncompliance with security documentation requirements (see Appendix 1), we cannot rely on the annual assurance statement that NPS signed supporting continuing authorization to operate for One GSS and the DDC.

According to the National Institute of Standards and Technology (NIST), every component of an information system must be a member of an identified information system boundary to obtain authorization to operate, and up-to-date system inventories, including identification of parent and child system relationships, are essential to providing authorizing officials an accurate and complete understanding of the system (see Appendix 1). We found that the servers hosting the DOI and OIG websites appeared to be included in the system inventory of the DDC A&A boundary, but NPS did not clearly document the parent-child relationship between One GSS and the DDC. Although the DDC identified itself as a child of the One GSS information system boundary, One GSS did not identify the DDC as a child system. Therefore, One GSS did not include the DDC and its components in its system inventory. In addition, documentation for One GSS, including system and inventory documentation, was not kept up to date. As a result, NPS did not know that the DDC hosted the OIG website and therefore did not include it in the One GSS system inventory.

We also found that One GSS only inventories systems monitored with Microsoft System Center Configuration Manager (SCCM). SCCM, however, generates an incomplete system inventory for One GSS because it excludes all non-Microsoft components.
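
One way to catch the two inventory defects described above (a single-tool inventory that cannot see non-Microsoft components, and a child system whose parent does not list it) is to reconcile the tool-generated list against independent sources and to check that parent and child boundaries declare each other. The following is an added illustration written for this page, not NPS code or any A&A tool's output; the host names, the two sources, the example.gov domain and the boundary records are all constructed.

```python
"""Reconcile a tool-generated inventory (here, an SCCM-style export that only
ever lists Windows hosts) against independent sources, and check parent/child
boundary declarations for consistency.

Constructed example: every host name, source and boundary record below is
invented for illustration and is not NPS data.
"""
from typing import Dict, Iterable, List

DEFAULT_DOMAIN = "example.gov"  # assumed domain used to expand short host names


def normalize(name: str) -> str:
    """Lower-case, strip a trailing dot, and expand short names to FQDNs so the
    same host recorded as 'DDC-WEB01' and 'ddc-web01.example.gov.' compares equal."""
    name = name.strip().lower().rstrip(".")
    return name if "." in name else f"{name}.{DEFAULT_DOMAIN}"


def missing_components(inventory: Iterable[str],
                       sources: Dict[str, Iterable[str]]) -> Dict[str, List[str]]:
    """For each independent source, list the components it knows about that are
    absent from the inventory. Sources that show no gap are omitted."""
    known = {normalize(n) for n in inventory}
    gaps: Dict[str, List[str]] = {}
    for source, names in sources.items():
        missing = sorted({normalize(n) for n in names} - known)
        if missing:
            gaps[source] = missing
    return gaps


def boundary_mismatches(boundaries: Dict[str, dict]) -> List[str]:
    """Report parent/child declarations that are not mutual: a child naming a
    parent that does not list it, or a parent listing a child that does not
    name it."""
    problems: List[str] = []
    for name, record in boundaries.items():
        parent = record.get("parent")
        if parent is not None:
            if parent not in boundaries:
                problems.append(f"{name} declares unknown parent {parent}")
            elif name not in boundaries[parent].get("children", []):
                problems.append(f"{name} declares parent {parent}, "
                                f"but {parent} does not list {name} as a child")
        for child in record.get("children", []):
            if boundaries.get(child, {}).get("parent") != name:
                problems.append(f"{name} lists child {child}, "
                                f"but {child} does not declare {name} as its parent")
    return problems


# Constructed data. The SCCM-style export contains only Windows hosts.
SCCM_EXPORT = ["DDC-WEB01", "DDC-WEB02", "DDC-DB01", "HQ-FS01"]

# Independent sources that also see non-Windows components (routers, a
# load balancer, the host the CDN pulls from).
SOURCES = {
    "switch neighbour table": ["ddc-core-rtr1", "ddc-sw-01", "DDC-WEB01"],
    "dns zone": ["ddc-web01.example.gov.", "ddc-lb01", "cdn-origin.example.gov"],
}

# Boundary records as each system documents itself. The One GSS / DDC pair
# mirrors the finding: the child names its parent, the parent lists no child.
BOUNDARIES = {
    "One GSS": {"parent": None, "children": []},
    "DDC": {"parent": "One GSS", "children": []},
}

if __name__ == "__main__":
    for source, hosts in missing_components(SCCM_EXPORT, SOURCES).items():
        print(f"not in inventory ({source}): {', '.join(hosts)}")
    for problem in boundary_mismatches(BOUNDARIES):
        print("boundary:", problem)
```

The value of the check is in the sources, not the set difference: a neighbour table from the switches and the DNS zone each see equipment that an agent-based inventory never will, which is exactly the class of component (network equipment, websites) the One GSS documentation named but its inventory omitted.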
NPS configured SCCM to inventory and manage only Microsoft computers and servers, but other documentation for the One GSS boundary indicated the existence of several non-Microsoft components, including network equipment, websites, and data types. According to NIST, a system inventory should include the entire environment of operation, including all components of the information system. NPS used only data from SCCM as documentation for the One GSS inventory, making the One GSS inventory wholly incomplete.

In addition, we determined that the CDN had not been authorized to operate because NPS incorrectly believed that contractor systems were not required to be included within an information system boundary and undergo A&A. NIST and DOI criteria require that all systems, including contractor systems, go through the A&A process (see Appendix 1). We also found that the CDN's baseline configuration for the DOI and OIG websites was set to refresh content every 6 hours, a short-lived setting in comparison to the 30-day refresh setting for the NPS website. Because of the power outage, the CDN could not reach the DDC when the refresh interval expired; the CDN interpreted the failed refresh as an intentional update and purged the DOI website, which in turn purged the OIG website hosted beneath it. NPS reported that it had no baseline configuration documentation to explain why the 6-hour refresh for the DOI and OIG websites was set within the CDN.

Baseline configurations determine the security control selection process, but NPS could not provide us with baseline information for the CDN. Baselines provide a starting point for evaluating the overall risk of the information system and are established after the system owner and the owner's staff have formally reviewed and agreed upon them.
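
The purge described above is a cache policy question rather than a refresh-interval question: when the interval expires and the origin cannot be reached, an edge can either drop its copy or keep serving the last good copy until the origin returns (the behaviour HTTP calls stale-if-error, RFC 5861). The simulation below is an added illustration written for this page, not NPS code and not a model of any real CDN product; the one-day warm period, the six-day outage, hourly polling and the page content are constructed. It shows the three combinations the report's facts imply: 6-hour interval with purge, 30-day interval with purge, and 6-hour interval with serve-stale.

```python
"""Origin-pull CDN edge under an origin outage: purge-on-error vs serve-stale.

Constructed example. The timings and content are invented; no specific CDN
product or the actual NPS configuration is modelled.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class Origin:
    """The web host (the DDC in the report). Unreachable during [down_from, down_until)."""
    content: str
    down_from: int
    down_until: int

    def fetch(self, now: int) -> str:
        if self.down_from <= now < self.down_until:
            raise ConnectionError("origin unreachable")
        return self.content


@dataclass
class EdgeCache:
    """One CDN edge node. refresh_interval is the cached copy's lifetime in seconds."""
    refresh_interval: int
    serve_stale_on_error: bool
    content: Optional[str] = None
    fetched_at: Optional[int] = None

    def get(self, origin: Origin, now: int) -> Tuple[Optional[str], str]:
        """Answer one request; status is 'fresh', 'stale' or 'miss'."""
        if self.content is not None and now - self.fetched_at < self.refresh_interval:
            return self.content, "fresh"          # still inside the refresh interval
        try:
            self.content = origin.fetch(now)      # interval expired: re-pull from origin
            self.fetched_at = now
            return self.content, "fresh"
        except ConnectionError:
            if self.serve_stale_on_error and self.content is not None:
                return self.content, "stale"      # keep serving the last good copy
            # Weak behaviour from the report: the failed pull is treated as a
            # removal and the cached copy is dropped.
            self.content, self.fetched_at = None, None
            return None, "miss"


def simulate(refresh_interval: int, serve_stale_on_error: bool,
             outage: Tuple[int, int] = (DAY, 7 * DAY),
             horizon: int = 8 * DAY, step: int = HOUR) -> dict:
    """Query the edge once per step over the horizon and count how each
    request was answered. The origin is up for the first day, down for the
    next six, then up again."""
    origin = Origin("<html>site</html>", *outage)
    edge = EdgeCache(refresh_interval, serve_stale_on_error)
    counts = {"fresh": 0, "stale": 0, "miss": 0}
    for now in range(0, horizon, step):
        _, status = edge.get(origin, now)
        counts[status] += 1
    return counts


if __name__ == "__main__":
    cases = [("6-hour interval, purge on error", 6 * HOUR, False),
             ("30-day interval, purge on error", 30 * DAY, False),
             ("6-hour interval, serve stale on error", 6 * HOUR, True)]
    for label, interval, stale in cases:
        print(f"{label:40s} {simulate(interval, stale)}")
```

With purge-on-error, the 6-hour interval loses the site for all 144 hours of the outage window while the 30-day interval never re-pulls during it and stays up; with serve-stale, the 6-hour interval is also unaffected. A baseline configuration for the CDN therefore needs to record both the refresh interval and the origin-error behaviour, since the interval alone does not determine availability during an origin outage.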
Established baseline configurations and appropriate change control procedures facilitate the risk management process to identify and accept or mitigate the risks associated with deviating from that baseline. An appropriate A&A package for the CDN should have included a detailed description of system connections and data flow processes and may have alerted NPS to the risk associated with the short-lived baseline configuration for refreshing the content of the DOI and OIG websites.

Lastly, we could not determine which system security plan was authoritative for the DDC because NPS manually created, externally maintained, and uploaded its system security plan to the Cyber Security Assessment and Management (CSAM) tool instead of using the automated report generation capability. CSAM is a system used for managing A&A packages that can automatically create and update the system security plan by incorporating all of the latest system updates as input by the system owner. DOI regulations require all systems to use CSAM as the authoritative repository for all A&A documentation (see Appendix 1).

We identified several other required documents missing from CSAM, including:

• contingency plan test results;
• a continuous monitoring plan;
• a business impact assessment;
• a risk assessment report; and
• results from quarterly control assessments.

As a result of insufficient A&A processes and incomplete security documentation, NPS could not have effectively set priorities and managed risk according to the NPS, DOI, or OIG risk strategies. NPS officials could not have made a fully informed decision to grant authorization to operate to One GSS using the available information.

Noncompliance With Contingency Planning and Testing Requirements

NPS could have been better prepared to respond efficiently to the outage and to minimize damage and downtime if it had had an appropriate contingency plan in place. NIST guidance requires bureaus and offices to test contingency plans annually (see Appendix 1). These plans help ensure adequate preparation to cope with the loss of operational capabilities due to a service disruption, such as an act of nature, fire, accident, or sabotage. According to NIST, these plans should cover all key functions, including assessing an agency's information technology and identifying resources, minimizing potential damage and interruption, developing and documenting the plan, and testing the plan and making necessary adjustments.

Our inspection found that the One GSS contingency plan had not been reviewed or updated since December 11, 2008. CSAM did not have contingency plan test documentation for the One GSS boundary, which indicates that the plan has never been tested. Contingency planning is another component of the risk management framework; it establishes thorough plans, procedures, and technical measures that enable quick and effective system recovery following a service disruption.

NPS documentation stated that the DDC contingency plan has been tested annually as required, but we concluded that the tests conducted were inadequate. For example, the DDC test conducted on June 13, 2013, tested NPS' security incident response capability against an unauthorized user but not its capability to recover from an outage. Moreover, the DDC test conducted on January 10, 2012, tested the validity of the backups for restoring a single server, but the severity of the scenario did not trigger activation of the plan. Since neither test scenario activated the contingency plan, NPS had not conducted appropriate testing and was therefore unprepared to respond to the consequences of the outage.

We also determined that the DDC did not have adequate backup power for the number of servers, workstations, and routers it supports to minimize physical damage to equipment. The battery backup lasted only approximately 30 minutes, which was not enough time for NPS personnel to power down the servers. NPS stated that it did not have a shutdown plan or an automated shutdown capability, which resulted in damage to multiple servers. Basic physical and environmental protections are required by NIST for the protection of equipment in information system boundaries such as One GSS and the DDC (see Appendix 1).

No Written Documentation Identifying the Roles and Responsibilities for Shared Services

Lastly, we determined that NPS, DOI, and OIG do not have written agreements for website hosting, system ownership, support to contingency planning, recovery timeframes, or funding. NPS hosts the DOI website under a verbal agreement made in 2009 between individuals who no longer work for DOI, and DOI's Office of Communications does not know the terms of that agreement. In addition, in 2012, OIG verbally agreed to transfer the hosting and content management services of its website to DOI. Prior to this inspection, OIG did not know that NPS hosted either the DOI or the OIG website.

Our inspection revealed that NPS and DOI disagree over ownership of the system boundary that covers DOI's website, ownership of the data, and the importance of the websites' availability to the public. The prevailing attitude of NPS officials appeared to indicate that a timely recovery of the DOI website was not their priority. Appropriate documentation, such as a memorandum of understanding or a service level agreement, that defined the roles and expectations for NPS, DOI, and OIG would have alleviated disagreement among the three parties, and each entity would have had a clear understanding of its responsibilities related to web hosting and content management services, including the prioritization of system restoration in the event of a major outage.

Recommendations

We recommend that DOI's OCIO and Office of Communications:

1. Establish an oversight process to review and improve the effectiveness of A&A activities within DOI;
2. Establish a review process for determining the validity of annual assurance statements;
3. Establish an oversight process to enforce proper CSAM use for all systems;
4. Assess the risk of continuing to host DOI data at the DDC based on NPS' A&A activities; and
5. Document and approve appropriate service level requirements and operational and security role expectations for continued use of NPS' hosting services.

We recommend that NPS:

1. Perform an accurate A&A for the CDN, the DDC, and One GSS following all applicable laws, regulations, and requirements to continue to operate;
2. Establish a process to identify systems with inadequate A&A;
3. Upload all system documentation for all information systems, including the CDN, the DDC, and One GSS, to CSAM immediately after approval;
4. Establish a process to enforce proper CSAM use for all NPS systems;
5. Perform a new business impact analysis for both the DDC and One GSS based on customer data and recovery time objectives;
6. Update contingency plans incorporating customer recovery time objectives and expectations, accurate system inventories, and lessons learned from the recent outage;
7. Update the facility power capabilities or migrate the web hosting platform to a facility that meets physical and environmental requirements if NPS is required to meet customer recovery time objectives and expectations;
8. Design and conduct annual contingency plan tests; and
9. Document in writing and approve all agreements for providing web hosting services.

Please provide us with your written response to this report within 30 days. The response should provide information on actions taken or planned to address the recommendations, as well as target dates and title(s) of the official(s) responsible for implementation. Please send your response to:

Kimberly Elmore
Assistant Inspector General
Office of Audits, Inspections, and Evaluations
U.S. Department of the Interior
Office of Inspector General
Mail Stop 4428
1849 C Street, NW.
Washington, DC 20240

Scope and Methodology

We focused our inspection on DOI, OIG, and NPS website hosting associated with the website outages in early January 2014. We reviewed the NPS services at the NPS data center in Lakewood, CO, and interviewed staff at DOI's Office of the Chief Information Officer, DOI's Office of Communications, NPS, and OIG. We also observed the physical environment at the NPS data center. Lastly, we reviewed Federal requirements for information systems and relevant DOI, NPS, and OIG security documentation, policies, and procedures related to information security. We conducted this inspection in January 2014.

Although we included OIG data as part of the inspection sample, we conducted our inspection in accordance with the Quality Standards for Inspection and Evaluation as put forth by the Council of the Inspectors General on Integrity and Efficiency. We believe that the work performed provides a reasonable basis for our conclusions and recommendations.

OIG was not exposed to any undue influence during this assignment. Following our standard inspection procedures, OIG management was not involved in the daily activities of the inspection but did review and approve the working papers. The inspection team executed our internal procedures of indexing and referencing their findings, which involves linking the statements in the report to specific working papers and having an independent referencer verify the indexes to support all facts, figures, and findings. These review controls ensured that OIG remained independent and that the inspection was conducted in accordance with the Quality Standards.

The legislation creating the Office of Inspector General requires that we report to Congress semiannually on all audit, inspection, and evaluation reports issued; actions taken to implement our recommendations; and recommendations that have not been implemented.

If you have any questions regarding this report, please contact me at 202-208-5745.

cc:    NPS Information Officer
       DOI Office of Communications

Appendix 1

Federal and Agency Policies and Procedures

Federal Law, Policy, Standards, and Guidance

• Federal Information Security Management Act of 2002 (FISMA): FISMA establishes the information security responsibilities of the head of each agency. This includes the responsibility for the security of any information system used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. Under FISMA, the National Institute of Standards and Technology (NIST) is tasked with developing standards and guidelines. FISMA requires regular review and testing of all policies, procedures, and practices.

• Office of Management and Budget (OMB) Memo 11-33, "Fiscal Year 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management," September 14, 2011: OMB Memo 11-33 discusses the change from annual certification and accreditation to an ongoing risk-based approach to assessment and authorization (A&A) for ensuring the security of Federal information systems.

• OMB Memo 14-03, "Enhancing the Security of Federal Information and Information Systems," November 18, 2013: OMB Memo 14-03 establishes timelines for the requirement to migrate to the risk management framework and continuous monitoring model used for ongoing A&A.

• Federal Information Processing Standards (FIPS) Publication 199, "Standards for Security Categorization of Federal Information and Information Systems," February 2004: Agencies first categorize their information and systems as required by FIPS 199. This helps to ensure that appropriate security requirements and security controls are applied to all Federal information and information systems, including Cloud computing.

• FIPS Publication 200, "Minimum Security Requirements for Federal Information and Information Systems," March 2006: After completing the categorization process in FIPS 199, agencies are then required to select an appropriate set of security controls from NIST Special Publication 800-53 to satisfy minimum security requirements. FIPS 200 and NIST Special Publication 800-53 help ensure that appropriate security requirements and security controls are applied to all Federal information and information systems. The assessment of risk determines the initial security control selection and determines if any additional controls are needed to protect organizational operations (including mission, functions, image, or reputation). The resulting set of required security controls establishes a level of security due diligence for the organization.

• NIST Special Publication 800-53 Revision 3, "Recommended Security Controls for Federal Information Systems and Organizations," August 2009, includes updates as of May 1, 2010: NIST Special Publication 800-53 defines all security controls applicable to Federal information systems and covers the steps in the risk management framework that address security control selection. In this document, security controls related to 18 security control families are available for organizations to select when they undergo the FIPS 200 control selection process. Each security control family contains the specific security controls related to the security functionality of the family, including security assessment and authorization, contingency planning, physical and environmental protection, and risk assessment.

• NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems," February 2010: The risk management framework (RMF) describes a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. The RMF defines an authorization boundary and requires that all components of an information system be authorized for operation by an authorizing official. Initial authorization to operate is based on evidence available at one point in time, but systems and environments of operation change. Ongoing assessment of security control effectiveness supports a system's security A&A over time in highly dynamic environments of operation with changing threats, vulnerabilities, technologies, and missions and business processes. The RMF is the process for obtaining system authorization and, more generally, for managing and continually monitoring information security and information system-related risk.

• NIST Special Publication 800-137, "Information Security Continuous Monitoring for Federal Information Systems and Organizations," September 2011: NIST Special Publication 800-137 states that agencies must develop information security continuous monitoring (ISCM) activities that include multiple tiers of an organization. There are different responsibilities for each tier in order for a system to obtain authorization to operate, and each tier must continually monitor security controls to maintain that authorization. The ISCM process must also include organizationally determined assessment and monitoring frequencies. Through ISCM, new threat or vulnerability information is evaluated as it becomes available, permitting organizations to make adjustments to security requirements or individual controls as needed to maintain authorization decisions.

DOI Policy and Guidance

• Office of the Chief Information Officer (OCIO) Directive 2011-006, "Information System Boundary Assessment & Authorization Package Documentation and Inventory," March 23, 2011: OCIO Directive 2011-006 establishes Cyber Security Assessment and Management (CSAM) as the official repository for all A&A documentation and provides instructions to bureaus for the proper use of the system. It also provides detailed guidance on how to establish information system and subsystem boundary relationships between general support systems, major applications, and minor applications.

• OCIO Memorandum 0000228, "Ongoing Assessment and Authorization Through Continuous Monitoring," March 16, 2012: CIO 0000228 redefines the certification and accreditation guidance to be called the A&A process and requires the implementation of the risk management framework and continuous monitoring instead of conducting annual reauthorizations.

• OCIO Memorandum, "Contractor Systems," September 30, 2013: The OCIO contractor systems memorandum provides a clear definition of each type of contractor system and clarifies to bureaus that all contractor systems must also obtain authority to operate through the A&A process.

Report Fraud, Waste, and Mismanagement

Fraud, waste, and mismanagement in Government concern everyone: Office of Inspector General staff, departmental employees, and the general public. We actively solicit allegations of any inefficient and wasteful practices, fraud, and mismanagement related to departmental or Insular Area programs and operations. You can report allegations to us in several ways.

By Internet:   www.doi.gov/oig/index.cfm

By Phone:      24-Hour Toll Free:        800-424-5081
               Washington Metro Area:    202-208-5300

By Fax:        703-487-5402

By Mail:       U.S. Department of the Interior
               Office of Inspector General
               Mail Stop 4428 MIB
               1849 C Street, NW.
               Washington, DC 20240